RESERVE BANK OF INDIA

Transcription

1 भ रत य रज़वर ब क स चन गक वभ ग Corporate Communications Division RESERVE BANK OF INDIA Department of Information Technology Annexure-A RFP for RFP for providing certification services under ISO 27001:2013 Queries raised during Pre Bid meeting held on August 09, 2018 FAQs. Please refer to the RFP for providing certification services under ISO 27001:2013 released on the MSTC e-tendering site ( and RBI website. The FAQs containing responses to queries raised by prospective Bidders are given below. Bidders are advised to take the following clarifications/responses into account. Section Reference & Page No. RFP Clause Query RBI Clarification 8 (1) Scope Identification and Implementation Plan 8 (3) - Closure of audit finding & documentation Bank to provide inputs and Bidder to prepare the scope document and implementation plan Bank with assistance of the bidder Timeline expected is very less and we need minimum 3 months to prepare the scope document & Implementation Process. This is Bank Responsibility and there will not be any consultation post certification audit The clause may be read as Bank in the corrigendum 8 (5& 6) - Follow up reviews and First Surveillance audit to ensure ongoing compliance Bidder There is no review applicable post Certification Audit. Audit report is shared post audit and Auditee will have to follow-up on finding. Bidder will provide the Audit Plan prior to audit date. The clause may be read as First Surveillance Audit to ensure ongoing compliance in the corrigendum

2 Pg. 49; Checklist for Technical Evaluation (4) Experienced and skilled professionals having certifications and ISMS audit experience (ISO 27001:2013 valid Lead Auditor/Lead Implementer certificate, CISA, CISSP, and CISM) to carry out ISO 27001:2013 certification audit. No need to have auditor qualification for CISA, CISSP & CIS to carry out ISO 27001:2013 certification audit. Only IRCA/Certified Lead Auditor qualification should be sufficient We may remove the qualifications CISA, CISSP and CISM in the checklist for technical evaluation Phase 1 Points (i-vi) Phase 1 i. Identify and document the scope of ISO 27001:2013 certification in accordance with the overall policies and objectives of the Bank. ii. The Bidder shall work with the Bank to identify functional areas and processes to be covered in the scope as per ISO 27001:2013 certification requirement for the three data centres as indicated above and DIT, Central Office, Mumbai. iii. The Bidder shall develop a detailed implementation plan in consonance with the project milestones as indicated in Project Milestones for the four locations based on the scope agreed with the Bank. iv. The Bidder shall undertake a comprehensive review of the entire ISMS framework including IS policy framework, Business continuity plan, Information and Security controls and associated guidelines and procedures The bank is required to set the scope or boundary for the audit. Bidder shall not involve at any stage in consultation or advisory for any process for identifying the process required to be covered in scope definition. Bidder s role shall be to audit as per ISO 27001:2013 requirement as independent audit Bidder cannot develop an implementation plan. The role amounts to consultancy The comprehensive review for mentioned framework shall be taken as part of GAP audit, Stage 1 audit and subsequent surveillance audit provided no consultancy or advisory activity being sought. vi)no remedial action can be proposed post gap audit. vii) All closure on findings will be Bank s Responsibility on GAP report findings. viii)no such action is required but routine compliance and internal audits to be carries out. BVIL shall be doing the surveillance audits with in prescribed timeline and an audit plan will be

3 operationalized in the Bank relevant to managing risk and enforcing information security defined under ISO 27001:2013. submitted before the audit at each stage. v. Pre-certification Gap Assessment to determine the existing status of the IS framework of the Bank and identification of non-conformities and the associated information security risks. vi. The Bidder shall submit the audit report based on the gap assessment and propose remedial actions to fill the gap and achieve conformance to ISO 27001:2013 standard. Phase 2, Point -III Follow-up reviews and surveillance audit after a period of one and two years from the date of first certification awarded to confirm that the organization remains in compliance with ISO 27001:2013 standard. No follow up review is conducted by the bidder, but the Bank is required to conduct prescribed internal audits and management reviews based on ISMS standard. The clause may be interpreted as First and Second Surveillance Audit after a period of one and two years from the date of first certification awarded to confirm that the organization remains in compliance with ISO 27001:2013 standard. Page 17, Point 8, Milestone no 1 Scope Identification and Implementation Plan Milestone 1 cannot be done in line with above concerns raised.

4 Page 17,Point 8, Milestone no 2 i. Pre-certification Assessment ii. Gap Analysis Both Milestones are the same Page 17,Point 8, Milestone no 3 Closure of audit findings and Documentation Responsibility to be changed as Bank The clause may be read as Bank in the corrigendum Page 17,Point 8, Milestone no 5 and 6 Follow up reviews and First Surveillance audit to ensure ongoing compliance Follow up review to be removed The clause may be read as First Surveillance Audit to ensure ongoing compliance in the corrigendum Page 18, Point 8, Milestone no 1 Completion of the following milestones i. Pre-certification assessment I)&ii) are one and same ii. Gap Analysis Page 18, Point 8, Milestone no 2 Hand holding for addressing the issues found in Gap Analysis, Certification Audit and Award of certification for 1st Year ( ) for each of the four locations mentioned Handholding for issues found in gap audit cannot be done by certification body and the bidder shall not be doing it. No Change from what is indicated in the RFP Page 18,Point 8, Milestone no 4,6 Surveillance Audit and award of certification for each of the four locations mentioned for Certification for the second year i.e. ( ). Certification for three years is issued after stage 2 audit for 3 years validity and is not issued separately each year No Change in the Payment Terms from what is indicated in the RFP

5 Pt no 4 page 49 Experienced and skilled professionals having certifications and ISO audit experience (ISO 27001:2013 valid Lead Auditor/Lead Implementer certificate, CISA, CISSP, and CISM) to carry out ISO 27001:2013 certification audit Lead Implementer certificate, CISA, CISSP, and CISM) is not required as per ISO and to be removed We may remove the qualifications CISA, CISSP and CISM in the checklist for technical evaluation Indemnity Clause Page 34. Indemnity to the Bank i. The successful Bidder shall, at its own cost and expenses, defend and indemnify the Bank against all thirdparty claims including those of the infringement of Intellectual Property Rights, including patent, trademark, copyright, trade secret or industrial design rights, arising from use of the services thereof in India or outside India. ii. The successful Bidder shall expeditiously meet any such claims and shall have full rights to defend itself there from. If the Bank is required to pay compensation to a third party resulting from such infringement, the Successful Bidder shall be fully responsible therefore, including all expenses and court and legal fees. iii. The Bank will give notice to the successful Bidder of any such claim and shall provide reasonable The clause needs to be rationalised in view of the audit service being done by certification body. The bidder shall not be providing any information in audit or take away any record or documents from audit in physical or digital format which may be resulting in any threat to any of bank s regular services. I), ii) and iv) needs to be revised in relevance No change from what is indicated in the RFP

6 assistance to the Successful Bidder in disposing of the claim. The successful Bidder shall also be liable to indemnify the Bank, at its own cost and expenses, against all losses/damages, which the Bank may suffer on account of violation by the Successful Bidder of any or all national/international trade laws, norms, standards, procedures, etc. Section- 4 (Page 10) Phase- I- VI Section-5 (Earnest Money Deposit) In tender Page No.11- And in Tender Page No. 10- Clause No. V (Pre- Certification Gap Assessment) is covering this requirement. Hence, we request you to kindly delete Clause No. 4 Phase i- vii in Tender Page No. 10 which is repeating this requirement Kindly, consider the EMD of amount Rs. 18,000/- in the form of demand draft instead of Bank Guarantee No change from what is indicated in the RFP EMD should be in the form of Bank Guarantee Only.